boss Bill Gates on Wednesday issued a software security progress report, highlighting “significant investments” in four key areas.
In an executive e-mail to customers, Gates promised the software giant would continue to spend heavily on isolation and resiliency, software updating, software quality and authentication and access control.
“Malicious software code has been around for decades. But only in the last few years have the Internet, high-speed connections and millions of new computing devices converged to create a truly global computing network in which a virus or worm can circle the world in a matter of minutes,” Gates said, noting that criminal hackers have become more sophisticated.
In his e-mail progress report, the Microsoft chairman said malicious attackers had taken the offensive by “creating and distributing digital epidemics like Slammer, Blaster, Sobig and Mydoom that spread almost instantaneously, threatening the potential of technology to advance business productivity, commerce and communication.”
As the threats evolve, Gates said Microsoft would commit major investments in customer education and partnerships aimed at creating a more secure computing environment.
“Given human nature, evolving threat models and the increasing interconnectedness of computers, the number of security exploits will never reach zero. But we can dramatically blunt the impact of cyber criminals, and are dedicating a major portion of our R&D investments to security advances.”
In the area of “Isolation and Resiliency,” Gates pointed to the coming Windows XP Service Pack 2 (SP2), which is currently in beta and due for release in late spring/early summer.
With XP SP2, Microsoft is revamping the operating system to address Network Protection; Safer Web Browsing; Safer E-mail and Instant Messaging and Memory Protection.
He said Microsoft was partnering with microprocessor companies like Intel
to help Windows support hardware-enforced data execute protection (also known as NX, or no execute). “NX uses the CPU to mark all memory locations in an application as non-executable unless the location explicitly contains executable code. This way, when an attacking worm or virus inserts program code into a portion of memory marked for data only, it cannot be run,” he explained.
He also detailed security-centric changes being planned for Windows Server 2003, Internet Security and Acceleration Server 2004, Exchange Edge Services and Active protection technologies.
Exchange Edge Services, for instance, is a new technology designed to block incoming or outgoing malicious e-mail and junk mail, defend against e-mail server attacks and e-mail-borne viruses, and encrypt messages to optimize for security. “It is also designed to provide a foundation on which third-party developers can build technologies such as next-generation email filters, email encryption products and email compliance solutions,” Gates explained.
Gates announced plans to host Security Summits in 21 U.S. cities to provide security training for IT and developer professionals.